Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get a percentage out of 2 queries?

kvanwagoner
New Member
‎06-04-2019 04:26 AM

I've got 2 search queries that are working for me (Thanks to @harshpatel)

Query #1 returns the average # of successes over the last 7 Days.

"A PUT was made to OpenAAA API - Status: OK" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

Query #2 returns the average # of failures over the last 7 Days.

"A PUT was made to OpenAAA API - Status: 1" | spath AppID | search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time | stats avg(prod)

How can I find out the percentage of failures based on these 2 queries? AVG # of Failures divided by AVG # of Successes

Example. 100 success and 50 failures .... Percentage of Failures would be 50%)

Any help will be greatly appreciated!

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎06-04-2019 01:31 PM

@kvanwagoner Try this -

 "A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
 | search AppID=200296 Environment=prod | timechart count(eval(status="OK")) as success, count(eval(status="1")) as failures| bin span=7d _time 
 | stats avg(success) as S, avg(failures) as F| eval pct=( F * 100 ) / S

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎06-04-2019 01:31 PM

@kvanwagoner Try this -

 "A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
 | search AppID=200296 Environment=prod | timechart count(eval(status="OK")) as success, count(eval(status="1")) as failures| bin span=7d _time 
 | stats avg(success) as S, avg(failures) as F| eval pct=( F * 100 ) / S
0 Karma
Reply
Solved! Jump to solution

kvanwagoner
New Member
‎06-05-2019 05:47 AM

Thanks @Vijeta . That works great!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2019 06:42 AM

Try combining the two queries.

"A PUT was made to OpenAAA API - Status: *" | rex "Status: (?<status>\w+)" | spath AppID 
| search AppID=200296 Environment=prod | timechart count by Environment | bin span=7d _time 
| stats count, count(eval(status="OK")) as successes, count(eval(status=1)) as failures | eval pct=(failures*100)/successes
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kvanwagoner
New Member
‎06-04-2019 08:13 AM

Thanks @richgalloway
This is returning
count=08
failures=0

successes=0
The two separate queries return 359 success and 7 failures. Which would be around 1.9%

Any ideas?

0 Karma
Reply
Solved! Jump to solution

kvanwagoner
New Member
‎06-04-2019 11:07 AM

@harshpatel any ideas on this?

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...